The SMS worm Selfmite is back, and it's even nastier than before

Watch out, smartphone users: the SMS worm Selfmite is back, and now it's nastier
than ever. Worse, it's now global.

The pesky worm, which first surfaced in June of this year and affects Android smartphones and tablets,
has spawned a new version. Are you surprised? Why would you be?

The Selfmite-B worm infects many more users, uses several money-making techniques and is generally
more dangerous and difficult to stop, warns mobile security firm AdaptiveMobile.

AdaptiveMobile has tracked more than 150,000 messages sent over the past ten days from
over one hundred compromised devices found in sixteen countries. The latest version of the worm
has generated 100 times more traffic than its older sibling, Selfmite-A.

“This is the same old Selfmite worm but this time returning on strong steroids,” said Denis Maslennikov,
the security analyst at AdaptiveMobile who discovered the latest version of the worm.

“Its more aggressive and self-propagating capabilities simply mean more victims will be caught
in its wake. Additionally, it uses several links to engage with users, increasing its monetization
potential at the same time. This additional level of complexity makes Selfmite-B a real concern for both
wireless carriers and users.”

Users get infected if they download and install malicious APK files from URLs contained in text
messages spammed out by already compromised devices.

Once installed, Selfmite-B sends messages to all of the contacts in a user’s phone in a loop,
which means that potential victims will continue to receive messages until the mobile carrier detects
and blocks these messages or the owner deletes the malware.
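
The looping behaviour described above is what a carrier can detect: one device repeating the same link-bearing text to many recipients. The sketch below is an added example, not code from AdaptiveMobile or the original article; the record format, thresholds, phone numbers and URLs are all constructed assumptions. It masks the link before clustering, so a lure whose URL is swapped remotely still counts as one campaign.

```python
import re
from collections import Counter, defaultdict

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def find_looping_senders(records, min_recipients=5, min_repeats=2):
    """Flag senders that repeat one URL-bearing text to many contacts.

    records: iterable of (sender, recipient, text) tuples.
    Thresholds are illustrative assumptions, not vendor values.
    """
    per_sender = defaultdict(lambda: defaultdict(Counter))
    for sender, recipient, text in records:
        if not URL_RE.search(text):
            continue  # per the article, the lure carries a download link
        # Mask the link so a remotely swapped URL stays in one cluster.
        template = URL_RE.sub("<url>", text).strip().lower()
        per_sender[sender][template][recipient] += 1

    flagged = {}
    for sender, templates in per_sender.items():
        for template, hits in templates.items():
            repeated = [r for r, n in hits.items() if n >= min_repeats]
            if len(repeated) >= min_recipients:
                flagged[sender] = {
                    "template": template,
                    "recipients": len(hits),
                    "messages": sum(hits.values()),
                }
    return flagged

def sample_records():
    """Constructed traffic: one looping device and two benign senders."""
    contacts = [f"+1555010{i}" for i in range(1, 7)]
    links = ["http://short.example/a1", "http://short.example/a1",
             "http://short.example/b2"]  # link swapped in round three
    records = [("+15550100", c, f"Hey, try this app {link}")
               for link in links for c in contacts]
    # One-off invitation to many people: fan-out but no repetition.
    records += [("+15550200", c, "Party photos: https://photos.example/x")
                for c in contacts]
    # Same link repeated to a single friend: repetition but no fan-out.
    records += [("+15550300", "+15550101", "Lol http://video.example/v")] * 3
    return records

if __name__ == "__main__":
    for sender, info in find_looping_senders(sample_records()).items():
        print(sender, info)
```

Requiring both fan-out and repetition keeps the one-off invitation and the single-friend repeat out of the result.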

The cybercrooks behind the scam have come up with multiple ways to make money, mostly through dodgy
affiliate programs.

Users are either directed to an application in Google Play after clicking on the installed worm icon,
or they click on other icons that Selfmite-B has placed on their desktops and are therefore redirected
to unsolicited subscription websites.

The worm also varies content according to IP addresses, so that users in different countries will
be redirected to different websites.

The URLs most immediately associated with the spread of the worm have been consigned to oblivion,
but this does not necessarily mean that the current outbreak is wholly contained.

"We notified Go Daddy about the malicious x.co URLs and at the moment both shortened URLs have been
deactivated," AdaptiveMobile said. "But the fact that the author(s) of the worm can change it remotely
using a configuration file makes it harder to stop the whole infection process."

A blog post by AdaptiveMobile, including screenshots of code snippets, gives a more in-depth
look at the malware and the damage it can inflict.